neshta | 82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427

General

Target

82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
Size

286KB
MD5

b19687d5d2b1abb22d6c01be18c97830
SHA1

eb9eea88999484a3386015103fe73bf45014db98
SHA256

82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427
SHA512

3ad332a12562ac2fc99d8f1b3a9d6c48f1bdb4c60f41ee7bc543049e03559ec11db367b001d847509fba936467b3bc21f041b34ce7d2a5b1141d01ac2e0b5a03

Score

10^/10

neshta persistence spyware stealer

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 53 IoCs

Processes:

82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\armsvc.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\WinMail.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

Drops file in Windows directory 1 IoCs

Processes:

82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

description ioc process

File opened for modification C:\Windows\svchost.com 82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\svchost.com	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

Modifies registry class 1 IoCs

Processes:

82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe

C:\Users\Admin\AppData\Local\Temp\82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe
"C:\Users\Admin\AppData\Local\Temp\82fe113744575be4819be811427615867765773a4e22bdcebe9a232680815427.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:3800